Bug 624547 - attrcrypt should query the given slot/token for supported ciphers
attrcrypt should query the given slot/token for supported ciphers
Product: 389
Classification: Community
Component: Security - General (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Rich Megginson
Ben Levenson
Depends On:
Blocks: 639035 389_1.2.8
  Show dependency treegraph
Reported: 2010-08-16 16:34 EDT by Marco Rhodes
Modified: 2015-12-10 13:38 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-12-10 13:38:31 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
git patch file (master) (1.53 KB, patch)
2011-01-24 20:35 EST, Noriko Hosoi
no flags Details | Diff
git patch file (master) (15.32 KB, patch)
2011-01-27 15:01 EST, Noriko Hosoi
nkinder: review+
Details | Diff

  None (edit)
Comment 4 Noriko Hosoi 2011-01-24 20:35:21 EST
Created attachment 475097 [details]
git patch file (master)

The reported problem was caused by the bug in ldbm_attrcrypt.c which did not expect to have an external PKCS #11 token.  This patch successfully initializes ldbm_attrcrypt.

But ldbm_attrcrypt fails once trying to encrypt an attribute. e.g.:
dn: cn=givenname,cn=encrypted attributes,cn=userRoot,cn=ldbm database,cn=plugi
objectClass: top
objectClass: nsAttributeEncryption
cn: givenname
nsEncryptionAlgorithm: AES [ or 3DES ]

error log:
[..] attrcrypt - _back_crypt_crypto_op: failed on cipher AES : -8192 - An I/O error occurred during security authorization.
[..] - Error: attrcrypt_crypto_op_values failed in attrcrypt_encrypt_entry
[..] - attrcrypt_encrypt_entry failed in id2entry_add
Comment 7 Noriko Hosoi 2011-01-27 15:01:46 EST
Created attachment 475673 [details]
git patch file (master)

1. To retrieve a certificate from an external token (i.e., not
   "internal (software)"), "<token>:<cert_nickname> should have
   been passed.  The <token> part was missing.
2. The key to be used for encryption and decryption internally
   needs to have ENCRYPT and DECRYPT attribute set, respectively.
   The correct attributes were not set.  Note: these attributes
   are automatically set for the softoken in nss, but not for the
   external token.  This is why attrcrypt worked for the softoken,
   but not for the external token.  The attributes need to be set
   when the key is generated as well as when the key is unwrapped.
3. Adding a code to check if the underlying system supports the
   cipher or not before generating a key.  If it is not supported,
   it issues a message not to choose the cipher for the attrcrypt/
   changelog encryption.  If none of the ciphers are supported and
   if attrcrypt/changelog encryption is enabled, the server fails
   to start.
Comment 8 Noriko Hosoi 2011-01-27 15:42:30 EST
Reviewed by Nathan (Thank you!!!)

Pushed to master.

$ git merge 624547
Updating 7ece306..57dcdf1
 ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c |  141 ++++++++++++++++++++----
 ldap/servers/slapd/proto-slap.h               |    3 +
 ldap/servers/slapd/security_wrappers.c        |   36 ++++++-
 3 files changed, 151 insertions(+), 29 deletions(-)

$ git push
Counting objects: 17, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (9/9), done.
Writing objects: 100% (9/9), 3.26 KiB, done.
Total 9 (delta 7), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   7ece306..57dcdf1  master -> master
Comment 11 Chandrasekar Kannan 2011-07-19 10:07:01 EDT
I tried to verify this bug. But I was not able to setup ds (use the wizard and generate key pair to setup ssl certs) with our newest nethsm6k.dsdev.sjc.redhat.com. that hardware token is in fips mode. my machine is selinux permissive. I'm still troubleshooting the problem.

Note You need to log in before you can comment on or make changes to this bug.